Information Technology Cyber Security Policy
(Insert Name of Organization)
SAMPLE TEMPLATE
Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please feel free to change any portion of this document to meet your specific needs. The information provided is just one example and should not preclude any organization from other
(Insert Date)
1 DEFINITION
The use of the term company in this document is in reference to the following organization:
(Insert Organization Name).
2 INTRODUCTION
This Cyber Security Policy is a formal set of rules by which those people who
are given access to company technology and information assets must abide.
The Cyber Security Policy serves several purposes. The main purpose is to
inform company users: employees, contractors and other authorized users of
their obligatory requirements for protecting the technology and information
assets of the company. The Cyber Security Policy describes the technology
and information assets that we must protect and identifies many of the
threats to those assets.
The Cyber Security Policy also describes the users' responsibilities and
privileges. What is considered acceptable use? What are the rules regarding
Internet access? The policy answers these questions, describes user
limitations and informs users that there will be penalties for violation of the policy.
This document also contains procedures for responding to incidents that
threaten the security of the company computer systems and network.
Version Date Page 2
[Asset classification table, only partially recovered. Classification levels: GREEN, WHITE, BLACK. Columns: Description, Example.]
Example cell (level not recoverable): Server containing confidential data and other department information on databases. Network routers and firewalls containing confidential routing tables and security information.
Fragment (level not recoverable): non-sensitive information.
4 DEFINITIONS
Externally accessible to public. The system may be accessed via the
Internet by persons outside of the company without a logon id or password.
The system may be accessed via dial-up connection without providing a
logon id or password. It is possible to ping the system from the Internet.
The system may or may not be behind a firewall. A public Web Server is an
example of this type of system.
Non-Public, Externally accessible. Users of the system must have a valid
logon id and password. The system must have at least one level of firewall
protection between its network and the Internet. The system may be
accessed via the Internet or the private Intranet. A private FTP server used to
exchange files with business partners is an example of this type of system.
Internally accessible only. Users of the system must have a valid logon id
and password. The system must have at least two levels of firewall
protection between its network and the Internet. The system is not visible to
Internet users. It may have a private, non-translated (non-NAT) address and it
does not respond to a ping from the Internet. A private intranet Web Server
is an example of this type of system.
Chief Information Officer. The Director of the Department of Information
Technology (IT) shall serve as the Chief Information Officer.
Security Administrator. An employee of IT shall be designated as the
Security Administrator for the company.
5 Threats to Security
5.1 Employees
Employees are one of the biggest security threats. They may damage your
systems either through incompetence or on purpose. You have to layer your
security to compensate for that as well. You mitigate this risk by doing the
following.
Only grant appropriate rights to systems. Limit access to business hours
only.
6 User Responsibilities
This section establishes usage policy for the computer systems, networks
and information resources of the office. It pertains to all employees and
contractors who use the computer systems, networks, and information
resources as business partners, and individuals who are granted access to
the network for the business purposes of the company.
Users shall not purposely engage in activity with the intent to: harass other
users; degrade the performance of the system; divert system resources to
their own use; or gain access to company systems for which they do not
have authorization.
Users shall not attach unauthorized devices to their PCs or workstations
unless they have received specific authorization from the employee's
manager and/or the company IT designee.
Users shall not download unauthorized software from the Internet onto their
PCs or workstations.
Users are required to report any weaknesses in the company computer
security, any incidents of misuse or violation of this policy to their immediate
supervisor.
Security Administrator
Systems Analyst/Programmer
Contractors/Consultants
7 Access Control
Users are not allowed to access password files on any network infrastructure
component. Password files on servers will be monitored for access by
unauthorized users. Copying, reading, deleting or modifying a password file
on any computer system is prohibited.
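The paragraph above requires that access to password files on servers be monitored. As an added illustration (not part of the template, and not any organization's own tooling), the following Python script shows one way to implement that monitoring on a Linux server: Linux audit records produced by a standard auditctl watch rule on /etc/shadow (`-w /etc/shadow -p rwa -k shadow_access`) are parsed, and any open of the file by an account outside an allow-list, by an unexpected program, or any denied attempt, is raised as an alert. The log lines, the allow-lists and the `shadow_access` key are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Assumed allow-lists for this example. Only uid 0 may legitimately open the
# password file, and only through the programs below; a real deployment would
# derive these from the "Special Access" accounts the policy refers to.
AUTHORIZED_UIDS = {0}
AUTHORIZED_EXES = {
    "/usr/sbin/sshd", "/usr/bin/login", "/usr/bin/passwd",
    "/usr/bin/sudo", "/usr/sbin/unix_chkpwd",
}

# Key attached by the (assumed) auditctl rule: -w /etc/shadow -p rwa -k shadow_access
WATCH_KEY = "shadow_access"

# Constructed sample records in the format auditd writes for SYSCALL events.
# Record 105 carries a different key and is not about the password file.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000001.001:101): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1001 exe="/usr/sbin/sshd" key="shadow_access"
type=SYSCALL msg=audit(1700000002.002:102): arch=c000003e syscall=257 success=yes exit=3 uid=1002 auid=1002 exe="/usr/bin/cat" key="shadow_access"
type=SYSCALL msg=audit(1700000003.003:103): arch=c000003e syscall=257 success=no exit=-13 uid=1003 auid=1003 exe="/usr/bin/python3" key="shadow_access"
type=SYSCALL msg=audit(1700000004.004:104): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1001 exe="/usr/bin/cp" key="shadow_access"
type=SYSCALL msg=audit(1700000005.005:105): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=4294967295 exe="/usr/bin/passwd" key="other_key"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


@dataclass
class Alert:
    event_id: str
    uid: int     # effective uid that performed the open
    auid: int    # login uid: the person behind the session, even under sudo
    exe: str
    reason: str


def parse_record(line):
    """Return the key=value fields of one SYSCALL record, or None for other record types."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "SYSCALL":
        return None
    m = EVENT_ID_RE.search(line)
    fields["event_id"] = m.group(2) if m else "?"
    return fields


def check_password_file_access(log_text):
    """Scan audit records and return an Alert for every access that violates the policy."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("key") != WATCH_KEY:
            continue
        uid = int(rec.get("uid", -1))
        auid = int(rec.get("auid", -1))
        exe = rec.get("exe", "")
        if rec.get("success") != "yes":
            # A refused open is still an attempt to read a password file.
            reason = "denied attempt to open the password file"
        elif uid not in AUTHORIZED_UIDS:
            reason = f"unauthorized uid {uid} opened the password file"
        elif exe not in AUTHORIZED_EXES:
            # Privileged, but through a program that should never touch it
            # (e.g. copying the file, which the policy explicitly prohibits).
            reason = f"privileged access by unexpected program {exe}"
        else:
            continue
        alerts.append(Alert(rec["event_id"], uid, auid, exe, reason))
    return alerts


if __name__ == "__main__":
    for alert in check_password_file_access(SAMPLE_AUDIT_LOG):
        print(f"event {alert.event_id}: {alert.reason} (uid={alert.uid}, auid={alert.auid})")
```

The `auid` field is what makes the second check useful under the "no logging on as System Administrator" rule: it records the login account of the session even after a privilege change, so the person behind a root-level copy of the file is still identifiable. In practice the records would be read from the audit log or an `ausearch -k shadow_access` export rather than from the embedded sample.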
Users will not be allowed to logon as a System Administrator. Users who need
this level of access to production systems must request a Special Access
account as outlined elsewhere in this document.
Employee Logon IDs and passwords will be deactivated as soon as possible if
the employee is terminated, fired, suspended, placed on leave, or otherwise
leaves the employment of the company office.
Supervisors / Managers shall immediately and directly contact the company
IT Manager to report any change in employee status that requires terminating or
modifying employee logon access privileges.
Employees who forget their password must call the IT department to get a
new password assigned to their account. The employee must identify
himself/herself by (e.g. employee number) to the IT department.
This policy applies to all third-party connection requests and any existing
third-party connections. In cases where the existing third-party network
connections do not meet the requirements outlined in this document, they
will be re-designed as needed.
The company takes the issue of security seriously. Those people who use the
technology and information resources of the company must be aware that they
can be disciplined if they violate this policy. Upon violation of this policy,
an employee of the company may be subject to discipline up to and
including discharge. The specific discipline imposed will be determined on
a case-by-case basis, taking into consideration the nature and severity of the
violation of the Cyber Security Policy, prior violations of the policy committed
by the individual, state and federal laws and all other relevant information.
Discipline which may be taken against an employee shall be administered in
accordance with any appropriate rules or policies and the company Policy
Manual.